Abstract. The aim of this paper is to propose an alternative method to solve
a Fault Tolerant Control problem. The model is a linear system affected by a 
disturbance term: this represents a large class of technological faulty processes. 
The goal is to make the system able to tolerate the undesired perturbation, 
i.e., to remove or at least reduce its negative effects; such a task is performed 
in three steps: the detection of the fault, its identification and the consequent 
process recovery. When the disturbance function is known to be quantized over a 
finite number of levels, the detection can be successfully executed by a recursive 
decoding algorithm, arising from Information and Coding Theory and suitably 
adapted to the control framework. This technique is analyzed and tested in a 
flight control issue; both theoretical considerations and simulations are reported. 

1 Introduction 

Fault Tolerant Control (FTC for short, [3], [TT], [B]) aims to cancel or contain the
consequences of faults in an automation system. Such an operation is funda- 
mental in modern technological processes, which are required to assure robust 
performance, stability and safety even in case of partial malfunctions or degra- 
dations. Often, robustness is achieved by redundancy, say by the introduction 
of many control components like sensors; nevertheless, this sophistication natu- 
rally increases the probability of breakdown and then continues to motivate the 
research on reliable control systems. 

The problem of upholding the functionality of an apparatus affected by a disturbance
is ubiquitous in the industrial and transport fields. In particular,
FTC systems are widely applied in those contexts where human health and
environment are concerned, for example, in the design of mechanical and chemical
plants; nuclear power reactors; medical systems; aircraft, helicopters and
spacecraft; automotive engines, railway and marine vehicles. Another interesting
application is in the communication networks (for instance, wireless sensor
networks), where the aim of FTC is to avoid unexpected interruptions of data 
flow in case of troubled connectivity or impaired nodes. In all these contexts, 
a satisfying FTC design can prevent non-reversible failures and stops, with the 
ultimate objective of reducing health, environmental and economic damages. 



The literature about FTC is definitely widespread and contributions arise
from diverse applied mathematical domains. In order to get into the subject,
there are many survey works that introduce the main theoretical concepts and
provide classifications of the outstanding FTC approaches, with detailed references.
For example, we refer the reader to the recent review [28], which supplies
a comprehensive bibliography, and to [12], [2T], [T7J, [25].

As far as the applications are concerned, aircraft flight control has been motivating
FTC research since the 1970s, given the evident danger that aircraft faults
may cause to human safety. Therefore, a significant number of papers has been
produced on the subject, taking account of the wide variety of issues and
models introduced in the study of flight dynamics. For a general overview see
[20], [5] and the up-to-date book [5] that in Chapter II provides the list of the
most common flight control systems, with the relative references.

In this work, a linear model with a multiplicative disturbance factor is considered,
which is very common in the flight framework ([26]): in particular, we will
adopt a system presented in [2], [I] and studied also in [27], [TU] as an application
test.

Even if FTC systems can be designed in many different ways according to 
the specific aim they are conceived for, in general they all have to perform the 
following main tasks: 

1. the Fault Detection, i.e., the controller makes a binary decision on the 
presence of a malfunction; 

2. the Fault Identification, i.e., the controller determines or estimates the 
size of the disturbance; if necessary, Identification is preceded by Fault 
Isolation, that is, the location of the impaired component; 

3. the possible active compensation of the fault, i.e., the reconfiguration of
the system inputs and/or parameters in order to maintain, as much as 
possible, the integrity of the process. 

Fault Detection and Identification (FDI) can be undertaken in diverse ways. In
the cited works, in particular [B], a comprehensive discussion about the most
popular FDI schemes is presented: among them, we recall the unknown input
observers (UIO, [TH], [53]) and residual generation, Kalman filtering, the
statistical methods and the more recent techniques based on neural networks
(El).

This paper is devoted to the case when a quantized disturbance input is introduced
in a continuous linear system. Such a hybrid model, which combines
discrete and continuous dynamics, is motivated by the upcoming digitalization
of modern devices: a quantized disturbance may represent the switches of actuators
or sensors and the malfunctions in digital components; moreover, it may
describe the behavior of any mechanical device that is known to occupy only 
certain positions and also the approximation of a continuous disturbance. 

Results about FTC for hybrid systems are not very common. In part, 
they can be retrieved in the extensive discussion about the detection of abrupt 
changes in dynamical systems, whose leading work is [4] (while some further 
contributions are given by [12] and [T5]). The problem of estimating brusque 
alterations is always topical (as an example, see [23] and [22], which respectively
concern medical imaging and ground-penetrating radar issues) and in general is
approached by classical estimation techniques, such as Kalman Filtering.
Recently, input quantization in linear systems has been studied in particular
with the aim of reducing the effects of a coarse quantization ([IB], [7]). In this
work, instead, our purpose is exploiting the information that the disturbance
input is quantized to detect the fault occurrence: it follows that quantization is
supposed to be already performed in a satisfactory way.

In order to evaluate the quantized input disturbance, an original Information 
theoretic approach is proposed in this paper: given the discrete nature of the 
disturbance, FDI is performed by a decoding technique derived from the frame- 
work of digital transmissions and Coding Theory ([H]). The algorithm we will 
introduce has already been tested in Deconvolution issues ([9]). The problem 
we address here still is a Deconvolution problem, given that we assume a linear 
system as model, but in addition a compensation task is introduced to mini- 
mize the consequence of faults: our FTC is conceived with a feedback loop that 
supplies a compensation input in real-time and then continuously reconfigures 
the system (which naturally does not happen in classical Deconvolution issues).

The structure of the paper is the following: in Section II, we describe the
problem we aim to study; in Section III, we introduce the decoding algorithm
later used for the Fault Detection; in Section IV, we provide a theoretical
analysis of the algorithm in terms of minimization of a suitably defined Error
Function that represents the distance between the optimal behavior (i.e., without
disturbance) and the output of the FTC itself; sensitivity to the false alarm
(false positive) and to missed fault detection (false negative); promptness of detection
and reconfiguration. In Section V, we give the design criteria to obtain the
best performance from our algorithm, while in Section VI we show a few significant
simulations about a specific numerical example, arisen from Flight Control
literature; finally, Section VII is devoted to some conclusive observations.

1.1 Notation 

In this paper, the following notation will be used: 

• given a subset $A$ of a set $X$, $1_A : X \to \{0,1\}$ will denote the indicator
function, defined by $1_A(x) = 1$ if $x$ belongs to $A$ and $1_A(x) = 0$ otherwise;

• the function erfc is defined by $\mathrm{erfc}(x) = \frac{2}{\sqrt{\pi}} \int_x^{\infty} e^{-s^2}\,ds$ for any $x \in \mathbb{R}$;

• random variables will be indicated by capital letters;

• given any variable $X$, $\hat{X}$ will denote its estimation.



2 Problem Statement 

In this paper, we consider processes that can be modeled by the following linear, 
finite-dimensional system: 

$$\begin{cases} \dot{x}(t) = A x(t) + B z(t) f(t), & t \in [0, T] \\ x(0) = 0 \\ y(t) = C x(t) \end{cases} \tag{1}$$

where $x(t) \in \mathbb{R}^n$, $y(t) \in \mathbb{R}^m$, $f(t)$ and $z(t)$ are scalar functions and $A$, $B$
and $C$ are constant matrices with consistent dimensions. $f(t)$ is a known input
signal, while $z(t)$ is a disturbance modelling some fault in the system. Typically,
$z(t) \in (0, 1]$; if $z(t) = 1$, the system operates in its nominal regime and is totally
driven by $f(t)$: this is the condition that one aims to reproduce even when
$z(t) \in (0, 1)$, i.e., when some unexpected breakdown, interruption or loss of
effectiveness affects the dynamics.

In order to achieve that, a control input $u$ is introduced, which adjusts the
dynamics as follows:

$$\dot{x}(t) = A x(t) + B z(t) \big(f(t) + u(t)\big) \tag{2}$$

Notice that to maintain the error-free behavior, say $B z(t)\big(f(t) + u(t)\big) = B f(t)$,
in principle it is sufficient to fix $u(t) = f(t)\left(\frac{1}{z(t)} - 1\right)$, but, in the real
applications, this is often impossible for the following reasons. Generally,
the disturbance $z$ is not known and the controller can access it only through
the observation of the output $y$. In order to determine $z$ one has to perform a
deconvolution, that is, to invert the solution of equation (2) with initial condition
$x(0) = 0$:

$$y(t) = C x(t) = C \int_0^t e^{(t-s)A} B z(s)\big(f(s) + u(s)\big)\,ds \tag{3}$$

Furthermore, the acquisition of the data usually is not exact. This inaccuracy
can be modeled by an additive noise $n(t)$ in the output (in this work, $n(t)$
will be defined as a white gaussian noise): the available function now is
$r(t) = y(t) + n(t)$.

Under this condition, the inversion of expression (3) becomes tricky: deconvolution
is in fact known to be an ill-posed and ill-conditioned problem, that
is, the uniqueness of solution is not guaranteed and also small errors in the
data may raise large errors in the solution. In conclusion, the reconstruction of
$z(t)$ by inversion may produce outcomes very far from the correct ones; for this
reason, an estimation approach to the problem is the most suitable one.

In addition to that, in this work we make the following assumption. The controller can
access $y$ only at certain time instants, say every $\tau$ time instants. Hence, the
available data are the samples $r_k = r(k\tau)$ where $K \in \mathbb{N}$, $k \in \{0, \dots, K-1\}$ (for
simplicity, let us suppose that $K\tau = T$).

Moreover, in this work, two further main assumptions are made.

Assumption 1 The controller can access $r(t)$ only every $\tau$ time instants.
The available data are the samples $r_k = r(k\tau)$ where $k \in \{1, \dots, K\}$ and $K \in \mathbb{N}$
is supposed to be such that $K\tau = T$.

Assumption 2 The disturbance function $z(t)$ is known to be quantized over
two levels, say $z(t)$ can assume only two values $\zeta_0$ and $\zeta_1$.

$\zeta_0$ and $\zeta_1$ may respectively represent the nominal and the faulty conditions
($\zeta_0 = 1$, $\zeta_1 \in (0, 1)$). Such a binary situation naturally occurs in many engineering
applications: it can model, for instance, the abrupt blocking of an actuator,
the sharp loss of efficiency of a device, the sudden disconnection of some component,
the functioning of alarm sensors. In the following, we will generally refer to
the jumps from $\zeta_0$ to $\zeta_1$ and vice-versa as switch points.
Notice that Fault Detection and Identification are coincident under this assumption:
the decision on the fault presence automatically determines also its size.

In this work, being aware of all these conditions, we aim to estimate $z(t)$
as well as possible in order to provide the best control input to the system.
Clearly, the estimation has to be performed on-line, that is, each time a sample
is acquired (notice that the sampling inevitably introduces some delay): every $\tau$
instants the controller tries to detect possible faults and consequently updates
the system design.

For mathematical simplicity, the possible switch points of $z(t)$ are supposed
to occur at the time instants $k\tau$, in order to have synchronization with the
output sampling. Hence, we can write:

$$z(t) = \sum_{k=0}^{K-1} z_k \, 1_{[k\tau,(k+1)\tau)}(t), \qquad z_k \in \{\zeta_0, \zeta_1\} \tag{4}$$

Now, $z(t)$ is equivalent to the binary sequence $(z_0, \dots, z_{K-1}) \in \{\zeta_0, \zeta_1\}^K$: the
estimation problem is actually discrete. Let $\hat{z}_k$ be an estimate of $z_k$: since the
operation must be performed on-line, we expect $\hat{z}_{k-1} = \mathcal{D}(r_1, \dots, r_k)$, where $\mathcal{D}$
indicates a detection/estimation function.

Taking account of the conditions mentioned before, the natural definition of
the control input is:

$$u(t) = f(t)\left(\frac{1}{\hat{z}_{k-1}} - 1\right) 1_{[k\tau,(k+1)\tau)}(t), \qquad k = 0, \dots, K-1 \tag{5}$$

$u(t)$ is computed and introduced in the system every $\tau$ time instants. Consider
now a generic interval $[k\tau, (k+1)\tau)$. Being based on the estimate $\hat{z}_{k-1}$ relative to
the previous interval, $u(t)$ is deceptive when a switch occurs at $k\tau$: the delay $\tau$
underlies a temporary, unavoidable deviation (even in case of correct detection)
from the right trajectory. This issue will be widely discussed in the following; for the
moment, let us just observe that switch points cause most of the problems in
our FTC model. For this reason, permanent interruptions, i.e., failures (which
involve just one switch point) are definitely preferable to transient faults for
our purpose, though this may appear as a paradox in practice.



2.1 Illustrative Example: a Flight Control Problem 



A typical example of FTC problem arises from the literature of Flight Control.
Systems of kind (1) are often used to model different aspects of the aerospace
dynamics. For instance, if we consider the matrices

$$A = \begin{pmatrix} -0.5162 & 26.96 & 178.9 \\ -0.6896 & -1.225 & -30.38 \\ 0 & 0 & -14 \end{pmatrix} \tag{6}$$

$$B = \begin{pmatrix} -175.6 \\ 0 \\ 14 \end{pmatrix}, \qquad C = \begin{pmatrix} 1 & 12.43 & 0 \end{pmatrix} \tag{7}$$

the system (1) represents the longitudinal short-period mode of an F4-E jet with
additional horizontal canards, in supersonic conditions. The vector $x$ determines
the longitudinal trajectory: its three entries respectively represent the normal
acceleration, the pitch rate and the deviation of elevator deflection from the
trim position. The output $y(t)$ is the C* response, a usual parameter in flight
mechanics that synthesizes the aircraft response to the pilot inputs; typically,
the C* response must lie in a given admissible envelope.

This application example is illustrated in the Appendix D.1 of [3j and studied
also in Q], [57], [TU].

In this context, $f(t)$ can be interpreted as the elevator deflection command
and $z(t)$ as the indicator of the status of the elevators: $z = \zeta_0$ may attest a good
status, while the switch to $z = \zeta_1$ may denote an abrupt loss of effectiveness.
In such a case, the controller is required to detect the accident and add the
suitable control input $u(t)$ in order to recover the optimal trajectory, say the
one imposed by the flight plan. In terms of the output $y(t)$, one aims to maintain
it or to bring it back into the prescribed envelope.

Notice that in this case, it makes sense to suppose the fault to be definitive, 
that is, the elevator cannot recover its efficiency during the flight. We then 
talk about a failure. This situation often occurs in the applications, which 
motivates us to focus on it in our following analysis. This Flight Problem will 
be retrieved later and used as test application for the implementation of our 
detection algorithm, which is introduced in the next section. 

3 Fault Detection: The One State Algorithm 

Given the quantization of $z_k \in \{\zeta_0, \zeta_1\}$, it makes sense to settle the same set for
the estimation: $\hat{z}_k \in \{\zeta_0, \zeta_1\}$. This consideration arises from coding/decoding
techniques in digital transmissions, where unknown input messages, that are 
combinations of symbols from a known finite alphabet, must be recovered within 
the same alphabet. In other terms, the decoder is an estimator that exploits the 
prior information about the input source. 

The detection method that we introduce in this section is derived from an
optimal decoding algorithm named BCJR after its authors Bahl, Cocke, Jelinek
and Raviv (see [3j). Given the noisy output of a digital transmission, the BCJR
computes the probabilities of all the possible codewords, implementing a maximum
a posteriori (MAP, [19]) estimation through a recursive procedure. In
particular, given codes defined on trellises, it evaluates the a posteriori probabilities
of each state.

The classical version of the algorithm is constituted by two recursions (one
forward, one backward) and requires the transmission of the whole message
before decoding. Moreover, it also requires the system to have a finite number
of states. Nevertheless, it is possible to modify the procedure to avoid these
constraints: at the expense of reliability, one can make it causal (hence able to work on line) by
removing the backward recursion and also it can be simplified by considering
not all the possible states, but just a fixed number of states. In [5], these
variations are widely discussed. The algorithm we introduce here is exactly a
causal BCJR considering just one state at each step (for this reason we refer
to it as the One State Algorithm). The computation of the probabilities is in
this case straightforward and reduces to the comparison between two Euclidean
distances at each step. This makes the algorithm definitely low-complexity,
which encourages its implementation. Its performance actually depends on the
specific application case and will be analysed in the next sections.

Now, let us describe the operative structure of the One State Algorithm in
detail.



3.1 One State Algorithm's pattern 

Before showing the algorithm, notice that the solution of the equation (2) can
be written recursively as

$$x_k = e^{\tau A} x_{k-1} + \frac{z_{k-1}}{\hat{z}_{k-2}} \int_0^{\tau} e^{sA} B f(k\tau - s)\,ds, \qquad x_0 = 0$$

where $x_k = x(k\tau)$, $k = 0, \dots, K$. Now, the key idea of the One State procedure
is to provide a recursive estimation of the state $x_k$ and of $z_{k-1}$ given the current
reading $r_k$ and the estimate of the previous state $\hat{x}_{k-1}$.

In the sequel, let us use the following notation: $n_k = n(k\tau)$, $d_E$ indicates the
Euclidean distance and finally:

$$M_{\tau,k} = \int_0^{\tau} e^{sA} B f(k\tau - s)\,ds \tag{9}$$

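The One State Algorithm's pattern is then the following:

1. $k = 0$. Initialization: $x_0 = 0$;

2. $k = 1$.

System evolution (with no compensation): $x_1 = z_0 M_{\tau,1}$.

Reading: $r_1 = y_1 + n_1 = C x_1 + n_1$.

Disturbance Estimation: $\hat{z}_0 = \begin{cases} \zeta_0 & \text{if } d_E(r_1, \zeta_0 C M_{\tau,1}) < d_E(r_1, \zeta_1 C M_{\tau,1}) \\ \zeta_1 & \text{otherwise} \end{cases}$

State Estimation: $\hat{x}_1 = \hat{z}_0 M_{\tau,1}$.

3. $k = 2, \dots, K$.

System evolution (with compensation): $x_k = e^{\tau A} x_{k-1} + \frac{z_{k-1}}{\hat{z}_{k-2}} M_{\tau,k}$.

Reading: $r_k = y_k + n_k = C x_k + n_k$.

Disturbance Estimation: $\hat{z}_{k-1} = \begin{cases} \zeta_0 & \text{if } d_E\big(r_k, C e^{\tau A} \hat{x}_{k-1} + \frac{\zeta_0}{\hat{z}_{k-2}} C M_{\tau,k}\big) < d_E\big(r_k, C e^{\tau A} \hat{x}_{k-1} + \frac{\zeta_1}{\hat{z}_{k-2}} C M_{\tau,k}\big) \\ \zeta_1 & \text{otherwise} \end{cases}$

State Estimation: $\hat{x}_k = e^{\tau A} \hat{x}_{k-1} + \frac{\hat{z}_{k-1}}{\hat{z}_{k-2}} M_{\tau,k}$.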



Notice that the system does not have compensation in the first interval $[0, \tau)$,
as the first useful reading is performed at time $t = \tau$. For the binary nature of
each $z_k$, the process of estimation/detection reduces here to the comparison of
two distances. Moreover, the storage required is of two locations (one float for
the current state and one boolean for the current disturbance): the algorithm
is definitely low-complexity.
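
A minimal simulation of the recursion above, added here as an illustration and not taken from the paper: it assumes a scalar plant ($n = m = 1$, $A = -a$) and a constant input $f$, so that $e^{\tau A}$ and $M_{\tau,k}$ have closed forms. The function name and all numeric values are constructed.

```python
import math
import random


def one_state_run(a, b, c, f, tau, K, k_F, zeta1, sigma, seed=0):
    """Simulate the plant with compensation and the One State detector.

    Assumptions of this sketch (not from the paper): scalar plant
    x' = -a*x + b*z*(f + u), constant input f, nominal level zeta0 = 1.
    Returns (z_hat, E): z_hat[i] is the estimate of z_i, E[i] is E_{i+1}.
    """
    zeta0 = 1.0
    rng = random.Random(seed)
    phi = math.exp(-a * tau)            # e^{tau A}
    M = b * f * (1.0 - phi) / a         # M_{tau,k}; the same for every k since f is constant

    x = x_hat = x_nom = 0.0             # true, estimated and nominal state all start at 0
    z_hat_prev = zeta0                  # z_hat_{-1} = zeta0: no compensation on [0, tau)
    z_hat, E = [], []

    for k in range(1, K + 1):
        z = zeta0 if k - 1 < k_F else zeta1          # true z_{k-1}: failure from k_F on
        # System evolution: u = f*(1/z_hat_{k-2} - 1) turns z into z / z_hat_{k-2}.
        x = phi * x + (z / z_hat_prev) * M
        x_nom = phi * x_nom + M                      # fault-free reference x^N(k*tau)
        r = c * x + rng.gauss(0.0, sigma)            # noisy reading r_k

        # Two candidate outputs, one per admissible level of z_{k-1}.
        s0 = c * (phi * x_hat + (zeta0 / z_hat_prev) * M)
        s1 = c * (phi * x_hat + (zeta1 / z_hat_prev) * M)
        z_est = zeta0 if abs(r - s0) < abs(r - s1) else zeta1

        # The state estimate follows the decided level; only x_hat and z_est are kept.
        x_hat = phi * x_hat + (z_est / z_hat_prev) * M
        z_hat.append(z_est)
        E.append(x - x_nom)
        z_hat_prev = z_est
    return z_hat, E


if __name__ == "__main__":
    z_hat, E = one_state_run(a=2.0, b=1.0, c=1.0, f=1.0, tau=0.1,
                             K=30, k_F=10, zeta1=0.5, sigma=0.005, seed=1)
    for k, (zh, e) in enumerate(zip(z_hat, E), start=1):
        print(f"k={k:2d}  z_hat_(k-1)={zh:.1f}  E_k={e:+.5f}")
```

With low noise the failure is detected at the first reading after it occurs, but the error still jumps for one step because the compensation applied in that interval was computed from the previous estimate.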
4 Theoretical Analysis of the One State Algorithm



This section is devoted to the theoretical description of the behavior and performance
of the One State Algorithm applied to the system (1)-(2) with a failure,
that is, there exists a time instant $T_F = k_F \tau \in [0, T]$, $k_F \in \mathbb{N}$ such that

$$z(t) = \begin{cases} \zeta_0 = 1 & t \in [0, T_F) \\ \zeta_1 \in (0, 1) & t \in [T_F, T] \end{cases} \tag{10}$$

or equivalently, $z_k = \zeta_0$ for $k = 0, 1, \dots, k_F - 1$ and $z_k = \zeta_1$ for $k = k_F, k_F + 1, \dots, K-1$.
Switch points are particularly tricky and the choice to focus on a system with
just one switch point allows us to isolate the problem and to understand completely
the consequences of a switch. On the other hand, this case is crucial for the
applications, where the problem of failures is dramatically serious.

Our model can be naturally described in probabilistic terms: the fact that
reading noise is supposed to be white gaussian (that is, a sequence of independent
gaussian random variables $N_k \sim \mathcal{N}(0, \sigma^2)$) introduces some amount of
uncertainty in the system. In particular, also $\hat{z}$, $x$, $y$, $r$, $\hat{x}$ are random variables,
as they are directly or indirectly functions of the noise. To emphasize
that stochastic nature, from now onwards, we will indicate random variables
by capital letters. Let us summarize the complete recursive system in probabilistic
terms:

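$$\begin{cases} X_0 = 0, \quad \hat{X}_0 = 0, \quad \hat{Z}_{-1} = \zeta_0 = 1 \\ X_k = e^{\tau A} X_{k-1} + \frac{z_{k-1}}{\hat{Z}_{k-2}} M_{\tau,k} \\ Y_k = C X_k \\ R_k = Y_k + N_k \\ \hat{Z}_{k-1} = \mathcal{D}_1(R_k, \hat{X}_{k-1}, \hat{Z}_{k-2}) \\ \hat{X}_k = e^{\tau A} \hat{X}_{k-1} + \frac{\hat{Z}_{k-1}}{\hat{Z}_{k-2}} M_{\tau,k}, \qquad k = 1, \dots, K \end{cases} \tag{11}$$

where $\mathcal{D}_1$ indicates the One State detection function. Notice that $X_0$, $X_1$,
$Y_1$ are actually deterministic; in particular, fixing $\hat{Z}_{-1} = \zeta_0 = 1$ is just another
way to state that there is no compensation for the system in the first interval
$[0, \tau)$.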

Finally, we remark that $z(t)$ is not supposed to be driven by some probabilistic
law. Such information on the input might be useful to improve
the detection and has been studied in other deconvolution contexts (see, for instance,
[Hj). Nevertheless, in this work we rather prefer to focus on a specific
disturbance.



4.1 The Error Function 

The performance of the algorithm must be determined through the evaluation
of a suitable error function, say a distance between the desired and the real
trajectories. In this work, we adopt as error function the discrete stochastic
process $(E_k)_{k=0,1,\dots}$ that describes the signed distance between the trajectory
of the system with control and compensation $X_k$ and the nominal trajectory
$x^N(t)$, at time instants $k\tau$, $k = 0, 1, \dots$:

$$\begin{cases} E_k = X_k - x^N(k\tau) = e^{\tau A} E_{k-1} + \left(\frac{z_{k-1}}{\hat{Z}_{k-2}} - 1\right) M_{\tau,k}, & k = 1, \dots, K \\ E_0 = 0. \end{cases} \tag{12}$$

The so-defined error function is characterized by the following fact:

Proposition 1 For any $k_0, n \in \mathbb{N}$, the event $\{E_{k_0+n} = e^{n\tau A} E_{k_0}\}$ corresponds
to the event $\{\hat{Z}_{k-1} = z_k \text{ for all } k = k_0, k_0 + 1, \dots, k_0 + n\}$.

Proof It immediately follows from the definition of $E_k$: for any $k \in \mathbb{N}$, the event
$\{E_{k+1} = e^{\tau A} E_k\}$ is equivalent to $\{\hat{Z}_{k-1} = z_k\}$ and then $\{E_{k_0+n} = e^{n\tau A} E_{k_0}\}$
corresponds to the event $\{\hat{Z}_{k_0-1} = z_{k_0}, \hat{Z}_{k_0} = z_{k_0+1}, \dots, \hat{Z}_{k_0+n-1} = z_{k_0+n}\}$. ■

Notice that under the hypothesis of the proposition and if $A$ is asymptotically
stable, $E_k$ exponentially decays to zero, regardless of the initial value $E_{k_0}$.
Moreover, observe that the condition $\hat{Z}_{k-1} = z_k$ is not the event of correct
detection $\hat{Z}_k = z_k$, since the feedback in the system implies a delay $\tau$; however,
if $z_k$ is constant over the considered interval, the two events are the same. In the
following, we will focus on this context of constant disturbance, which models the
state of the system before and after an irreversible failure. In particular, we will
study the conditions to obtain correct detection, which leads to the exponential
decay of the error; we will show that even if we cannot achieve the certainty
of decoding exactly in the presence of noise, we can approximate this
condition satisfactorily, that is, with a probability close to one, at least in some
common situations.

More precisely, our goal is to study the probability of the event $E_{k_0+n} = e^{n\tau A} E_{k_0}$
conditioned to the fact that $z_k$ is constant for any $k \in [k_0, k_0 + n]$ and
given some initial conditions at $k_0$ concerning the state of the algorithm, which
will be defined later. In particular, we will find out the conditions that make
this probability sufficiently close to one, for a sufficiently large $n$. This includes
the probability to obtain a very small $E_k$, starting from any initial error $E_{k_0}$,
and to preserve it from further perturbations. In the following, we will give the
formal definition of the probability described now and we will refer to it as the
probability of n-step error decay.

Before that, we need to evaluate the detection error probability, which is
defined and computed in the next paragraph.

4.2 Computation of the Detection Error Probability 

Let us define the stochastic process $(D_k)_{k=0,1,\dots}$ that represents the distance
between the states estimated by the One State procedure and the ones corresponding
to the system with compensation:

$$D_k = \hat{X}_k - X_k = e^{\tau A} D_{k-1} + \frac{\hat{Z}_{k-1} - z_{k-1}}{\hat{Z}_{k-2}} M_{\tau,k}, \qquad D_0 = 0.$$

Then,
Definition 2 Given $k \in \mathbb{N}$, $d \in \mathbb{R}^n$ and $\zeta \in \{\zeta_0, \zeta_1\}$, we define the Detection
Error Probability (DEP for short) as

$$\mathrm{DEP}(k, d, \zeta) = P\big(\hat{Z}_k \neq z_k \mid D_k = d, \hat{Z}_{k-1} = \zeta\big)$$

By the definition of $D_k$, the DEP is equal to

$$P\left(\hat{Z}_k \neq z_k,\ D_{k+1} = e^{\tau A} d + \frac{\bar{z}_k - z_k}{\hat{z}_{k-1}} M_{\tau,k+1} \,\Big|\, D_k = d, \hat{Z}_{k-1} = \hat{z}_{k-1}\right) \tag{13}$$

where $\bar{z}_k$ indicates the complementary of $z_k$ in $\{\zeta_0, \zeta_1\}$. This probability may
be interpreted as the transition probability of the Markov Process
$(D_k, \hat{Z}_{k-1})_{k=0,1,\dots}$
in the state space $\mathbb{D} \times \{\zeta_0, \zeta_1\}$, $\mathbb{D} \subset \mathbb{R}^n$, with starting state $(D_0, \hat{Z}_{-1}) = (0, \zeta_0)$.
The DEP, which is fundamental to calculate the probability of the event
$\{E_{k_0+n} = e^{n\tau A} E_{k_0}\}$ as shown in the next paragraph, can be analytically evaluated
in the case of scalar output ($m = 1$ in the system (1)) and extended to the
case $m > 1$ with no particular difficulty, through some numerical techniques. In
this paper, we discuss the case $m = 1$, which turns out to be interesting for
the possibility of analytically describing the behavior of the DEP with respect to
the parameters and to analytically derive design criteria for the fault detection.
In the sequel, we then assume $Y_k, R_k \in \mathbb{R}$, $k = 1, \dots, K$.



Let

$$S_k^{w} = C e^{\tau A} \hat{X}_{k-1} + \frac{w}{\hat{Z}_{k-2}} C M_{\tau,k} \in \mathbb{R}$$

with $w \in \{\zeta_0, \zeta_1\}$ be the two possible received signals estimated by the One State
Algorithm at the generic step $k$. The DEP is then computed in the following

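Proposition 3 For any $k = 1, 2, \dots, K$,

$$\mathrm{DEP}(k-1, d, \zeta) = \frac{1}{2}\,\mathrm{erfc}\left(\frac{\left|\frac{\zeta_0 - \zeta_1}{2\zeta} C M_{\tau,k}\right| - C e^{\tau A} d\,\big(1 - 2\cdot 1_{\{\zeta_0\}}(z_{k-1})\big)\big(1 - 2\cdot 1_{(S_k^{\zeta_1}, +\infty)}(S_k^{\zeta_0})\big)}{\sigma\sqrt{2}}\right) \tag{14}$$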

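Proof Under the hypothesis that $z_{k-1} = \zeta_1$ the DEP is given by:

$$\begin{aligned} \mathrm{DEP}(k-1, d, \zeta)\big|_{(z_{k-1} = \zeta_1)} &= P\big(\hat{Z}_{k-1} = \zeta_0 \mid D_{k-1} = d, \hat{Z}_{k-2} = \zeta, z_{k-1} = \zeta_1\big) \\ &= P\big(|R_k - S_k^{\zeta_0}| < |R_k - S_k^{\zeta_1}| \mid D_{k-1} = d, \hat{Z}_{k-2} = \zeta, z_{k-1} = \zeta_1\big) \\ &= \begin{cases} P\big(R_k < \frac{S_k^{\zeta_0} + S_k^{\zeta_1}}{2} \mid D_{k-1} = d, \hat{Z}_{k-2} = \zeta, z_{k-1} = \zeta_1\big) & \text{if } S_k^{\zeta_1} > S_k^{\zeta_0} \\ P\big(R_k > \frac{S_k^{\zeta_0} + S_k^{\zeta_1}}{2} \mid D_{k-1} = d, \hat{Z}_{k-2} = \zeta, z_{k-1} = \zeta_1\big) & \text{otherwise.} \end{cases} \end{aligned}$$

If $S_k^{\zeta_1} > S_k^{\zeta_0}$:

$$\begin{aligned} & P\Big(R_k < \tfrac{S_k^{\zeta_0} + S_k^{\zeta_1}}{2} \,\Big|\, D_{k-1} = d, \hat{Z}_{k-2} = \zeta, z_{k-1} = \zeta_1\Big) \\ &= P\Big(R_k < C e^{\tau A} \hat{X}_{k-1} + \tfrac{\zeta_0 + \zeta_1}{2\zeta} C M_{\tau,k} \,\Big|\, D_{k-1} = d\Big) \\ &= P\Big(C X_k + N_k < C e^{\tau A} \hat{X}_{k-1} + \tfrac{\zeta_0 + \zeta_1}{2\zeta} C M_{\tau,k} \,\Big|\, D_{k-1} = d\Big) \\ &= P\Big(C e^{\tau A} X_{k-1} + \tfrac{\zeta_1}{\zeta} C M_{\tau,k} + N_k < C e^{\tau A} \hat{X}_{k-1} + \tfrac{\zeta_0 + \zeta_1}{2\zeta} C M_{\tau,k} \,\Big|\, D_{k-1} = d\Big) \\ &= P\Big(N_k < C e^{\tau A} d + \tfrac{\zeta_0 - \zeta_1}{2\zeta} C M_{\tau,k}\Big) \\ &= \frac{1}{2}\,\mathrm{erfc}\left(\frac{-C e^{\tau A} d + \frac{\zeta_1 - \zeta_0}{2\zeta} C M_{\tau,k}}{\sigma\sqrt{2}}\right) \end{aligned}$$

The last step depends on the gaussian distribution of $N_k$; notice also that
$\frac{\zeta_1 - \zeta_0}{\zeta} C M_{\tau,k} = S_k^{\zeta_1} - S_k^{\zeta_0} > 0$.

It follows also that for $S_k^{\zeta_1} < S_k^{\zeta_0}$:

$$P\Big(R_k > \tfrac{S_k^{\zeta_1} + S_k^{\zeta_0}}{2} \,\Big|\, D_{k-1} = d, \hat{Z}_{k-2} = \zeta, z_{k-1} = \zeta_1\Big) = 1 - \frac{1}{2}\,\mathrm{erfc}\left(\frac{-C e^{\tau A} d + \frac{\zeta_1 - \zeta_0}{2\zeta} C M_{\tau,k}}{\sigma\sqrt{2}}\right)$$

where $\frac{\zeta_1 - \zeta_0}{\zeta} C M_{\tau,k} = S_k^{\zeta_1} - S_k^{\zeta_0} < 0$.
Summing up,

$$\begin{aligned} \mathrm{DEP}(k-1, d, \zeta)\big|_{(z_{k-1} = \zeta_1)} &= P\big(|R_k - S_k^{\zeta_0}| < |R_k - S_k^{\zeta_1}| \mid D_{k-1} = d, \hat{Z}_{k-2} = \zeta, z_{k-1} = \zeta_1\big) \\ &= \begin{cases} \frac{1}{2}\,\mathrm{erfc}\left(\frac{-C e^{\tau A} d + \frac{\zeta_1 - \zeta_0}{2\zeta} C M_{\tau,k}}{\sigma\sqrt{2}}\right) & \text{if } S_k^{\zeta_1} > S_k^{\zeta_0} \\ 1 - \frac{1}{2}\,\mathrm{erfc}\left(\frac{-C e^{\tau A} d + \frac{\zeta_1 - \zeta_0}{2\zeta} C M_{\tau,k}}{\sigma\sqrt{2}}\right) & \text{otherwise.} \end{cases} \end{aligned}$$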

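This actually corresponds to the false negative probability. The false positive
probability $\mathrm{DEP}(k-1, d, \zeta)\big|_{(z_{k-1} = \zeta_0)}$ can be computed in the same way and the
result is:

$$\begin{aligned} \mathrm{DEP}(k-1, d, \zeta)\big|_{(z_{k-1} = \zeta_0)} &= P\big(\hat{Z}_{k-1} = \zeta_1 \mid D_{k-1} = d, \hat{Z}_{k-2} = \zeta, z_{k-1} = \zeta_0\big) \\ &= P\big(|R_k - S_k^{\zeta_1}| < |R_k - S_k^{\zeta_0}| \mid D_{k-1} = d, \hat{Z}_{k-2} = \zeta, z_{k-1} = \zeta_0\big) \\ &= \begin{cases} 1 - \frac{1}{2}\,\mathrm{erfc}\left(\frac{-C e^{\tau A} d - \frac{\zeta_1 - \zeta_0}{2\zeta} C M_{\tau,k}}{\sigma\sqrt{2}}\right) & \text{if } S_k^{\zeta_1} > S_k^{\zeta_0} \\ \frac{1}{2}\,\mathrm{erfc}\left(\frac{-C e^{\tau A} d - \frac{\zeta_1 - \zeta_0}{2\zeta} C M_{\tau,k}}{\sigma\sqrt{2}}\right) & \text{otherwise.} \end{cases} \end{aligned}$$

The thesis is then proved. ■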
Remark 1 If $d = 0 \in \mathbb{R}^n$,

$$\mathrm{DEP}(k-1, 0, \zeta) = \frac{1}{2}\,\mathrm{erfc}\left(\frac{\left|\frac{\zeta_0 - \zeta_1}{2\zeta} C M_{\tau,k}\right|}{\sigma\sqrt{2}}\right) = \frac{1}{2}\,\mathrm{erfc}\left(\frac{|S_k^{\zeta_0} - S_k^{\zeta_1}|/2}{\sigma\sqrt{2}}\right) \tag{15}$$

This expression suggests an Information theoretic interpretation of our problem.
In fact, the presence of the gaussian noise in the data reading can be thought
as if signal $y_k$ was transmitted on an Additive White Gaussian Noise (AWGN)
channel. If $D_{k-1} = 0$, $y_k$ can be $S_k^{\zeta_0}$ or $S_k^{\zeta_1}$. Moreover, if we shift the signals by
their average, so that they become antipodal $\pm\frac{S_k^{\zeta_0} - S_k^{\zeta_1}}{2}$, the average energy per
channel use at step $k$ is $\mathcal{E}_k = \left(\frac{S_k^{\zeta_0} - S_k^{\zeta_1}}{2}\right)^2$. Given that the spectral density of
the gaussian noise is $N_0 = 2\sigma^2$, the argument of the erfc function in (15) turns
out to be the square root of the so called Signal-to-Noise Ratio (SNR), defined
as $\mathrm{SNR}_k = \mathcal{E}_k / N_0$, of our ideal channel.

Generally, the SNR compares the magnitudes of the transmitted signal and
of the channel noise and it is widely used in Information Theory to describe
channel performance. In our framework, the SNR determines the reliability of
the detection, say the reliability of the channel where $y_k$ is ideally transmitted.
This remark emphasizes that our problem is analogous to a common digital-transmission
paradigm and bears out the idea of using decoding techniques for
the detection task.

In the following, we will use the common dB notation for the SNR, that is, we
express it as $10 \log_{10}$ of its value.



Remark 2 Since typically $\zeta_1 < \zeta_0$, by expression (15) we have

$$\mathrm{DEP}(k-1, 0, \zeta_1) < \mathrm{DEP}(k-1, 0, \zeta_0).$$

Given that $\hat{Z}_{k-2} = \zeta_1$ is generally more likely when $z_{k-1} = \zeta_1$ (otherwise our
detection method would be improper), we can conclude that our detection algorithm
is more reliable after the failure, or, in other terms, it is more sensitive
to false positives.
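
A numerical check of Remarks 1 and 2, added as an illustration that is not part of the paper: with $D_{k-1} = 0$ the decision error is $\frac{1}{2}\mathrm{erfc}$ of half the distance between the two candidate signals divided by $\sigma\sqrt{2}$, and the sketch compares that value with an empirical error rate and reports the SNR in dB. The value of $C M_{\tau,k}$, the noise level and the function names are constructed.

```python
import math
import random


def half_distance(zeta0, zeta1, zeta_prev, cM):
    """|S^{zeta0}_k - S^{zeta1}_k| / 2 when the previous estimate is zeta_prev."""
    return abs((zeta0 - zeta1) / zeta_prev * cM) / 2.0


def dep_zero(zeta0, zeta1, zeta_prev, cM, sigma):
    """Detection error probability for D_{k-1} = 0."""
    h = half_distance(zeta0, zeta1, zeta_prev, cM)
    return 0.5 * math.erfc(h / (sigma * math.sqrt(2.0)))


def snr_db(zeta0, zeta1, zeta_prev, cM, sigma):
    """SNR_k = E_k / N_0 in dB, with E_k = half-distance squared and N_0 = 2*sigma^2."""
    energy = half_distance(zeta0, zeta1, zeta_prev, cM) ** 2
    return 10.0 * math.log10(energy / (2.0 * sigma ** 2))


def empirical_dep(z_true, zeta0, zeta1, zeta_prev, cM, sigma, trials, seed=0):
    """Fraction of wrong One State decisions over independent noisy readings.

    With D_{k-1} = 0 the term C e^{tau A} x_hat_{k-1} is common to the reading
    and to both candidates, so it is dropped here.
    """
    rng = random.Random(seed)
    s0 = zeta0 / zeta_prev * cM          # candidate output if z_{k-1} = zeta0
    s1 = zeta1 / zeta_prev * cM          # candidate output if z_{k-1} = zeta1
    y = z_true / zeta_prev * cM          # noiseless output actually produced
    wrong = 0
    for _ in range(trials):
        r = y + rng.gauss(0.0, sigma)
        z_est = zeta0 if abs(r - s0) < abs(r - s1) else zeta1
        wrong += (z_est != z_true)
    return wrong / trials


if __name__ == "__main__":
    zeta0, zeta1, cM, sigma = 1.0, 0.5, 0.09, 0.0225   # constructed values
    for zeta_prev in (zeta0, zeta1):
        for z_true in (zeta0, zeta1):
            print(f"z_hat_(k-2)={zeta_prev}  z_(k-1)={z_true}  "
                  f"DEP={dep_zero(zeta0, zeta1, zeta_prev, cM, sigma):.4f}  "
                  f"empirical={empirical_dep(z_true, zeta0, zeta1, zeta_prev, cM, sigma, 100000):.4f}  "
                  f"SNR={snr_db(zeta0, zeta1, zeta_prev, cM, sigma):+.2f} dB")
```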

4.3 Computation of the Probability of n-step Error Decay 

Given a time interval $[k_0, k_0 + n)$, $k_0, n \in \mathbb{N}$, $k_0 > 1$, we can formally define the
probability of n-step error decay (EDP$^n$ for short) as

$$\mathrm{EDP}^n(k_0, d, \zeta, \eta) = P\big(E_{k_0+n} = e^{n\tau A} E_{k_0} \mid D_{k_0-1} = d,\ \hat{Z}_{k_0-2} = \zeta,\ z_k = \eta \text{ for any } k = k_0 - 1, \dots, k_0 + n - 1\big)$$

where $d \in \mathbb{R}^n$, $\zeta, \eta \in \{\zeta_0, \zeta_1\}$. Notice that $z_k$ is assumed to be constant in
$[k_0 - 1, k_0 + n - 1]$, that is, we consider the system before or after a failure event.
Recalling Proposition 1, the EDP is connected to the DEP by the following
expression:

$$\begin{aligned} \mathrm{EDP}^1(k_0, d, \zeta, \eta) &= P\big(E_{k_0+1} = e^{\tau A} E_{k_0} \mid D_{k_0-1} = d, \hat{Z}_{k_0-2} = \zeta, z_{k_0-1} = z_{k_0} = \eta\big) \\ &= P\big(\hat{Z}_{k_0-1} = z_{k_0} \mid D_{k_0-1} = d, \hat{Z}_{k_0-2} = \zeta, z_{k_0-1} = z_{k_0} = \eta\big) \\ &= 1 - \mathrm{DEP}(k_0 - 1, d, \zeta)\big|_{(z_{k_0-1} = \eta)} \end{aligned}$$

that is, the Error decays when the detection is correct. Notice that this relation
between EDP and DEP subsists in virtue of the condition $z_{k_0-1} = z_{k_0}$: if $k_0$
were a switch point, the feedback delay would produce a deviation in the Error
Function in case of correct detection.
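Generalizing to $n$ steps,

$$\begin{aligned} \mathrm{EDP}^n(k_0, d, \zeta, \eta) &= P\big(\hat{Z}_{k_0-1} = \hat{Z}_{k_0} = \dots = \hat{Z}_{k_0+n-2} = \eta \mid D_{k_0-1} = d, \hat{Z}_{k_0-2} = \zeta\big) \\ &= P\big((D_{k_0}, \hat{Z}_{k_0-1}) = (e^{\tau A} d, \eta) \mid (D_{k_0-1}, \hat{Z}_{k_0-2}) = (d, \zeta)\big) \\ &\quad \cdot \prod_{m=1}^{n-1} P\big((D_{k_0+m}, \hat{Z}_{k_0+m-1}) = (e^{(m+1)\tau A} d, \eta) \mid (D_{k_0+m-1}, \hat{Z}_{k_0+m-2}) = (e^{m\tau A} d, \eta)\big) \\ &= \mathrm{EDP}^1(k_0, d, \zeta, \eta) \prod_{m=1}^{n-1} \mathrm{EDP}^1(k_0 + m, e^{m\tau A} d, \eta, \eta) \\ &= \big(1 - \mathrm{DEP}(k_0 - 1, d, \zeta)\big) \prod_{m=1}^{n-1} \big(1 - \mathrm{DEP}(k_0 + m - 1, e^{m\tau A} d, \eta)\big). \end{aligned}$$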



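By Proposition 3 this is equal to

$$\begin{aligned} \mathrm{EDP}^n(k_0, d, \zeta, \eta) = {} & \frac{1}{2}\,\mathrm{erfc}\left(\frac{-\left|\frac{\zeta_0-\zeta_1}{2\zeta} C M_{\tau,k_0}\right| + C e^{\tau A} d\,\big[\big(1 - 2\cdot 1_{\{\zeta_0\}}(\eta)\big)\big(1 - 2\cdot 1_{(S_{k_0}^{\zeta_1},+\infty)}(S_{k_0}^{\zeta_0})\big)\big]}{\sigma\sqrt{2}}\right) \\ & \cdot \prod_{m=1}^{n-1} \frac{1}{2}\,\mathrm{erfc}\left(\frac{-\left|\frac{\zeta_0-\zeta_1}{2\eta} C M_{\tau,k_0+m}\right| + C e^{(m+1)\tau A} d\,\big(1 - 2\cdot 1_{\{\zeta_0\}}(\eta)\big)\big(1 - 2\cdot 1_{(S_{k_0+m}^{\zeta_1},+\infty)}(S_{k_0+m}^{\zeta_0})\big)}{\sigma\sqrt{2}}\right) \end{aligned} \tag{16}$$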



Our next goal is to evaluate the $\mathrm{EDP}^n$ in different instances of system (1)-(10).
First of all, let us distinguish what happens before and after the failure.

4.4 False positive evaluation 



Let us suppose the system to be affected by a failure according to the model (10)
with $k_F > 1$, that is, the system is not faulty from the beginning. In particular,
since there is no compensation at the first time step (or equivalently $Z_{-1} = \zeta_0$),
no false positive is produced at $k = 0$. Then, studying the EDP in $[1, k_F)$
actually corresponds to evaluating the probability that no false positives occur
during the whole pre-failure transient regime. Given that $D_0 = 0$, we have



EDP^-^l.CCo.Co) = H 9 crfc 



Co-C 

2Co 



aV2 



(17) 



Since $E_1 = 0$ and $D_0 = 0$, then $\mathrm{EDP}^{k_F-1}(1, 0, \zeta_0, \zeta_0) = P(E_{k_F} = 0) = P(D_{k_F} = 0)$.



4.5 Switch Point 

Suppose that $D_{k_F} = 0$; then, in particular, $Z_{k_F-1} = z_{k_F-1}$ and $Z_{k_F-1} \neq z_{k_F}$.
In other terms, the detection is correct, but the compensation, based on the
detection at the previous step, is not efficient in correspondence of a switch
point. Our detection method cannot control what happens at step $k_F$,
that is, in the time interval $[T_F, T_F + \tau)$.



4.6 False negative evaluation 

Given that we cannot control the system immediately after the switch point,
it is likely that $E_{k_F+1} \neq 0$. We now want to study the probability of decay of
the Error Function towards zero, which actually corresponds to the evaluation
of the false negatives. In fact, under the hypothesis $D_{k_F} = 0$ (i.e., no false
positives and in particular $Z_{k_F-1} = \zeta_0$), for any $n \in \mathbb{N}$,

$$\mathrm{EDP}^n(k_F + 1, 0, \zeta_0, \zeta_1) = \mathrm{EDP}^1(k_F + 1, 0, \zeta_0, \zeta_1) \prod_{m=1}^{n-1} \mathrm{EDP}^1(k_F + 1 + m, 0, \zeta_1, \zeta_1). \tag{18}$$

Notice that $n$ can be any positive integer, since the failure state is not reversible.
Moreover, it is clear that if $n \to \infty$, then $\mathrm{EDP}^n \to 0$, that is, it is not likely that
the Error decays to zero and remains null forever. However, we can approximate
this ideal situation, as we will see next.

The considerations about the EDP made in this section are now applied to 
the case of constant input f(t). More precisely we will exploit them to establish 
suitable design criteria, that is, which is the best choice of parameters to obtain 
the maximum performance from the One State Algorithm. 



4.7 Constant input f(t) 

If the input $f(t)$ is constant, say $f = 1$, the system evolution does not depend
on time step $k$. In fact, $M_{\tau,k} = M_\tau = (e^{\tau A} - I)A^{-1}B$ for any $k = 1, \dots, K$.
Hence,



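$$\mathrm{EDP}^n(1, 0, \zeta_0, \zeta_0) = \left[\frac{1}{2}\operatorname{erfc}\left(-\frac{\left|\frac{\zeta_0 - \zeta_1}{2\zeta_0} C M_\tau\right|}{\sigma\sqrt{2}}\right)\right]^n \tag{19}$$

for any $n \in \mathbb{N}$ such that $n + 1 \leq k_F$ and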



EDP n (fc F + l,0,Co,Ci)= 2 erfc 



aV2 




aV2 



(20) 



In terms of signal-to-noise ratio, we can write 

V / SNR(t 7 ) 



^CM T 



cr-v/2 



Jerfc f- v / SNR(Co) 



so that 

EDP"(l,0,Co,Co) = 

EDP n (fc F + 1, 0, Co, Ci) = ^erfc (-VSNR(Co)) ^erfc (VsNR(Ci) 

Under the hypothesis $0 < \zeta_1 < \zeta_0 = 1$, $\mathrm{SNR}(\zeta_0) < \mathrm{SNR}(\zeta_1)$, that is
$\mathrm{EDP}^m(k_0, 0, \zeta_0, \zeta_0) < \mathrm{EDP}^m(k_1, 0, \zeta_1, \zeta_1)$; in other terms, our detection
algorithm is more sensitive to false positives, hence our fault tolerant control
method is more efficient after the failure. Hence, the suitable design criteria
for the pre-failure state will automatically be appropriate also for the
post-failure state. This is why in what follows we will generically name

$$\mathrm{SNR} = \mathrm{SNR}(\zeta_0) \quad \text{and} \quad \mathrm{EDP}^n = \mathrm{EDP}^n(k_0, 0, \zeta_0, \zeta_0) = \left[\frac{1}{2}\operatorname{erfc}\left(-\sqrt{\mathrm{SNR}}\right)\right]^n \tag{21}$$

The next section is devoted to the study of design criteria for our FTC 
system, on the basis of the theoretical analysis developed in the last pages. 
Particular attention will be paid to the case of constant $f(t)$, for which optimal
criteria can be formulated. 



5 Design Criteria 

In this section, our aim is to provide the design criteria to obtain the best 
performance from our FTC scheme, based on the One State Algorithm. 

The key point of this issue is that the controller is supposed to be free
to choose the sampling time step $\tau$, hence our goal is to give the criteria to
determine the optimal $\tau$, which, in our framework, can be defined as the one
that minimizes the Error Function, in the sense that we now explain. Given
the failure system (1)-(10) and a time window W — tit not containing the switch
point, our first purpose is to maximize the probability that $E_k$ remains null (if
we set before the failure) or decays to zero (if we set after the failure) along the
interval $W$. Furthermore, given that in $(T_F, T_F + \tau]$ a correct detection causes
a failed compensation and a consequent abrupt deviation in the output $y$ (as
we will show in the numerical simulations), our second purpose is to minimize
the peak of this unavoidable deviation.

This qualitative discussion is now quantified in two different input instances:
$f(t)$ constant and $f(t)$ sinusoidal. As far as the first case is concerned, we
will show that the theoretic analysis of Section [4] provides the instrument to
determine the sampling time that minimizes the Error Function in an analytic
way. On the other hand, when the input is not constant some difficulties arise in
the definition of the optimal $\tau$; however, we will explain how to obtain suitable
values of $\tau$ by a numerical computation, still based on the analysis of
Section [4].



5.1 Design Criteria in the case of constant input f(t) 



Recalling the Paragraph 4.7 and in particular the simplified notation (21), let
us explain how to define the optimal $\tau$ when $f(t) = 1$. As just said, we aim to
maximize the EDP in a given time window $W$ not containing the failure instant
and to minimize the peak of the deviation immediately after the failure. In
particular, if $E_{k_F} = 0$, by definition 12 the extent of the peak in the output is
given by $\max_{t \in (0,\tau]} |C M_t|$. In brief, we intend to provide

$$\tau_1 = \operatorname*{argmax}_{\tau > 0} \mathrm{EDP}^{W/\tau} \quad \text{and} \quad \tau_2 = \operatorname*{argmin}_{\tau > 0} \left( \max_{t \in (0,\tau]} |C M_t| \right) \tag{22}$$

The optimum would be $\tau_1 = \tau_2$, but in general this is not the case. Then, we
define the optimal $\tau$ as follows: we do not look for the maximum EDP, but we
just require $\mathrm{EDP}^{W/\tau} > 1 - \varepsilon$ where $\varepsilon \ll 1$ is a fixed tolerance. In other terms,
we demand that the EDP be very close to 1. Then, the optimal $\tau$, indicated by
$\tau_{opt} = \tau_{opt}(\varepsilon)$, is:

$$\tau_{opt} = \operatorname*{argmin}_{\tau:\ \mathrm{EDP}^{W/\tau} > 1 - \varepsilon}\ \max_{t \in (0,\tau]} |C M_t|. \tag{23}$$



5.1.1 Application to the Flight Control Problem 



Let us now compute $\tau_{opt}$ for the Flight Control Problem introduced in the
Paragraph 2.1 in the case of constant input $f(t)$. In the Figure [1] the graph of
$C M_\tau$ as a function of $\tau$ is shown. In particular, we notice that $C M_\tau$ is negative for
any $\tau > 0$, achieves a global minimum at $\tau_0 = 0.55$ and converges to a constant
value for a sufficiently large $\tau$. Then, if $\tau > \tau_0$, $\max_{t \in (0,\tau]} |C M_t| = |C M_{\tau_0}|$, that
is, the peak is fixed and we cannot control it. This undesired occurrence can be
prevented by imposing

$$\tau \in (0, \tau_0].$$

In this interval, $C M_\tau$ is monotone decreasing and $\max_{t \in (0,\tau]} |C M_t| = |C M_\tau|$.
Then, fixed the tolerance $\varepsilon$, our aim is the computation of

$$\tau_{opt} = \operatorname*{argmin}_{\tau \in (0,\tau_0]:\ \mathrm{EDP}^{W/\tau} > 1 - \varepsilon} |C M_\tau|. \tag{24}$$



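Figure 1:

Notice that

$$\mathrm{EDP}^{W/\tau} = \left[\frac{1}{2}\operatorname{erfc}\left(-\sqrt{\mathrm{SNR}}\right)\right]^{W/\tau} = \left[\frac{1}{2}\operatorname{erfc}\left(-\frac{\left|\frac{\zeta_0 - \zeta_1}{2\zeta_0} C M_\tau\right|}{\sigma\sqrt{2}}\right)\right]^{W/\tau}$$

is monotone increasing as a function of $\tau$. Then, let $\tau_m = \tau_m(\varepsilon)$ be the minimum
$\tau$ in $(0, \tau_0]$ such that $\mathrm{EDP}^{W/\tau} > 1 - \varepsilon$ (if it exists). Then

$$\tau_{opt} = \operatorname*{argmin}_{\tau \geq \tau_m} |C M_\tau| = \tau_m \tag{25}$$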



Now, let us assign numerical values to the parameters and solve the corresponding
instance. Suppose that:

$$\zeta_0 = 1, \quad \zeta_1 = \frac{1}{2}, \quad \sigma^2 = 2, \quad \varepsilon = 10^{-3}, \quad W = 20 \tag{26}$$

In this case, $\tau_{opt} = 0.112$ as shown in Figure [2].

The value of $\tau_{opt}$ clearly depends on the noise and in particular there can exist
noise values for which there is no $\tau$ making $\mathrm{EDP}^{W/\tau} > 1 - \varepsilon$: for instance, this
occurs if we consider $\sigma^2 > 34.72$ in the example (26) (the range of admissible
$\sigma^2$'s with the corresponding $\tau_{opt}$'s is shown in Figure [3]). In such a situation, one
should allow a lower threshold $1 - \varepsilon$.
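The design rule (24)-(25) can be carried out numerically as follows; this is an added example, not code from the paper. It uses the constant-input EDP expression and the parameter values (26), but runs on a hypothetical two-state plant in diagonal form (the rates `A_RATES` and gains `P` are constructed here; the flight model of Paragraph 2.1 is not reproduced), and it returns `None` when no $\tau$ in $(0, \tau_0]$ reaches the threshold.

```python
import math

# Hypothetical 2-state plant in modal (diagonal) form, constructed for this
# example; it is NOT the flight model of Paragraph 2.1.
# A = diag(-a_i); P[i] = C_i * B_i is the product of output and input gains.
A_RATES = (2.0, 1.0)
P = (-400.0, 100.0)

# Parameter values (26) from the text.
PARAMS_26 = dict(window=20.0, z0=1.0, z1=0.5, sigma2=2.0, eps=1e-3)


def cm(tau):
    """C M_tau with M_tau = (e^{tau A} - I) A^{-1} B, for diagonal A."""
    return sum(p * (1.0 - math.exp(-a * tau)) / a for p, a in zip(P, A_RATES))


def edp(tau, window, z0, z1, sigma2):
    """EDP^{W/tau} = [1/2 erfc(-sqrt(SNR))]^{W/tau} for constant input f = 1."""
    sqrt_snr = abs((z0 - z1) / (2.0 * z0) * cm(tau)) / math.sqrt(2.0 * sigma2)
    return (0.5 * math.erfc(-sqrt_snr)) ** (window / tau)


def tau_peak():
    """tau_0: where C M_tau reaches its global minimum (d/dtau C M_tau = 0)."""
    (a1, a2), (p1, p2) = A_RATES, P
    return math.log(-p1 / p2) / (a1 - a2)


def tau_opt(window, z0, z1, sigma2, eps, tol=1e-9):
    """Smallest tau in (0, tau_0] with EDP^{W/tau} > 1 - eps, or None.

    On (0, tau_0] the EDP increases with tau while |C M_tau| also grows, so
    the admissible tau with the smallest peak is the left end of the
    feasible set (tau_m in (25)); it is located here by bisection.
    """
    hi = tau_peak()
    if edp(hi, window, z0, z1, sigma2) <= 1.0 - eps:
        return None  # noise too strong: the threshold 1 - eps must be lowered
    lo = tol
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if edp(mid, window, z0, z1, sigma2) > 1.0 - eps:
            hi = mid
        else:
            lo = mid
    return hi
```

For this constructed plant `tau_opt(**PARAMS_26)` falls between 0.08 and 0.10, and raising `sigma2` to 100 makes the problem infeasible.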



In Section [6] we will show a few simulations about the Flight Example. 



5.2 Design Criteria in the case of input $f(t) = \sin t$

When $f(t)$ is not constant, it is more difficult to study analytical design criteria
as the quality of the detection depends on time. In particular, at each time step
$k\tau$ the detection is affected by the values of $f(t)$, $t \in ((k-1)\tau, k\tau)$, then any
detection step is different from the others and an analogue of (23) cannot be
provided: roughly speaking, the optimum would be to change $\tau$ according to
the shape of $f(t)$ in each considered interval.

Figure 2: $\mathrm{EDP}^{W/\tau}$ as a function of $\tau$ in the instance (26). The second graph is a
zoom that allows to see that $\tau_{opt} = 0.112$

Figure 3: The optimal $\tau$'s as the noise variance $\sigma^2$ changes ($\zeta_0 = 1$, $\zeta_1 = \frac{1}{2}$,
$\varepsilon = 10^{-3}$, $W = 20$)



When $f(t)$ is periodic, we can suggest some numerical computation in order to
fix a suitable $\tau$. In fact, if we compute $\mathrm{EDP}^{W/\tau}(1, 0, \zeta_0, \zeta_0)$ for a sufficiently large
$W$, we get an idea about the sampling times that are more suitable. On the other
hand, there is no way to control the amplitude of the deviation in case of failure,
since this again depends on time. The idea is then to choose a sampling time that
maximises $\mathrm{EDP}^{W/\tau}(1, 0, \zeta_0, \zeta_0)$ or that makes it larger than a given threshold,
being conscious that this does not deal with the unavoidable deviation. Let us
illustrate these observations in the Flight Control Problem with $f(t) = \sin t$ and
parameters given by (26). First, let us numerically compute $\mathrm{EDP}^{W/\tau}(1, 0, \zeta_0, \zeta_0)$
as a function of $\tau$, the result being presented in Figure [4]: the graph shows a clear
unsettled behavior which cannot be described analytically. However, it also
suggests the values of $\tau$ that give a high $\mathrm{EDP}^{W/\tau}(1, 0, \zeta_0, \zeta_0)$ and which can
then be considered suitable. No general consideration can be derived, except that
a very small $\tau$ is in general not preferable.

More details about this instance can be retrieved in the simulations presented 
in the next Section. 



6 Flight Control Problem: a few simulations 

In this section, we show some simulations concerning the application of the One
State Algorithm to the Flight FTC example presented in the Paragraph 2.1 and
studied in the previous paragraphs.

In a time interval $[0, T] = [0, 40]$, we suppose that a failure occurs at $T_F = 20$
and causes the switch of the disturbance function $z(t)$ from $\zeta_0 = 1$ to $\zeta_1 = 1/2$
($\zeta_1 = 1/2$ might represent a loss of effectiveness of 50% of the elevator of the
aircraft). The lecture noise is a Gaussian random variable $\mathcal{N}(0, 2)$. We consider
both the cases of input $f = 1$ and $f(t) = \sin t$ and we show the behavior of the
One State procedure for different values of $\tau$. The graphs represent the output
$y(t)$ of the system.

Figure 4: $\mathrm{EDP}^{W/\tau}(1, 0, \zeta_0, \zeta_0)$ as a function of $\tau$ in the instance (26) ($\zeta_0 = 1$,
$\zeta_1 = \frac{1}{2}$, $\sigma^2 = 2$, $W = 20$).

Figure [5] reproduces the case $f = 1$. The first graph compares the nominal
system, that is, the desirable trajectory, to the faulty system with no
compensation: after the failure, the trajectory of the latter is noticeably
incorrect. In the other graphs, we introduce the compensation using the One
State Algorithm: as proved in the Paragraph 5.1.1, $\tau_{opt} = 0.112$. In the second
graph, we fix $\tau = 0.4$, which is larger than $\tau_{opt}$: we obtain a correct detection at
each step, but the unavoidable deviation is not optimized: in fact, considering
$\tau_{opt}$ (third graph), we have a smaller peak after the failure. Furthermore, we see
that also $\tau = 0.09$ is suitable, even if the corresponding $\mathrm{EDP}^{W/\tau} \not> 1 - \varepsilon$. On the
other hand, $\tau = 0.07$ assures a good detection only after the failure (this is
consistent with our observation about the different sensitivity to false positives
and false negatives), while a too small sampling time ($\tau = 0.001$) causes
instability: the detection is not reliable and the Error is always nonnull.

Figure [6] concerns the case $f(t) = \sin t$. Again, the output of the system
with no compensation in the first graph undergoes an evident change after the
failure at $T_F = 20$. Instead, applying the One State Algorithm with time step
$\tau = 0.525$ (this value being suggested by the numerical computation of the
EDP) allows to recover the nominal condition. The same occurs with $\tau = 0.35$,
which is preferable for the smaller amplitude of the unavoidable deviation in
correspondence to the switch point.

When $\tau = 0.3$, some detections fail (the error percentage is about 4%), but
the output $y$ is not dramatically affected by them. Furthermore, when $\tau = 0.01$
the error percentage is about 9%: many deviations occur, but they are not very
large. In particular, they are quite null when the slope of $y(t)$ is steeper. In
correspondence to the switch point a plain oscillation is present, but it is less
remarkable than in the cases of larger $\tau$.

Decreasing $\tau$ again, the percentage of wrong detections does not exceed
10%, but for very small values of $\tau$, the system is unstable (see for instance, the
last graph corresponding to $\tau = 0.001$) and many oscillations occur.

7 Conclusions 

In this paper, an original Fault Tolerant Control method, based on Information 
and Coding Theory, has been introduced. Given a linear system with a distur- 
bance and supposing that the disturbance function is quantized over two levels, 
the detection task can be tackled by decoding techniques. In particular, we 
have introduced the One State Algorithm which is a low-complexity, recursive 
decoding algorithm, derived from the BCJR. Its application to a Flight FTC 
problem has generated satisfactory outcomes even in case of relative high noise 
in the data acquisition. 

The low-complexity encourages the implementation of this method; moreover,
adjusting the sampling time step $\tau$, one can improve its performance,
according to the different values of noise and of input $f$. In some cases, for
instance when $f$ is constant, an optimal value of $\tau$ can be analytically computed
with sufficient precision, where the optimality is intended in terms of trade-off
between convergence conditions and amplitude of the deviations. Other
arrangements might be obtained changing the values and the number of levels of
quantization.

Figure 5: Output $y(t)$: Nominal System vs System with a failure at $T_F = 20$,
with lecture noise of variance $\sigma^2 = 2$ and $f = 1$. Six different cases are shown:
the first graph represents the system with no control and compensation; the
other ones are with compensation, respectively with time step $\tau$ equal to 0.4,
0.12, 0.09, 0.07, 0.01

Figure 6: Output $y(t)$: Nominal System vs System with a failure at $T_F = 20$,
with lecture noise of variance $\sigma^2 = 2$ and $f(t) = \sin t$. Six different cases are
shown: the first graph represents the system with no control and compensation;
the other ones are with compensation, respectively with time step $\tau$ equal to
0.525, 0.35, 0.3, 0.01, 0.001